Exchange 2016 Directory-Services-SAM Event ID 16969

Article
2018-11-15

Question

_{Thursday, November 15, 2018 5:05 PM}

Hello,

I have recently deployed a new Exchange 2016 server in our current SBS 2011 (Server 2008 R2) environment. The SBS 2011 server is the current domain controller. I have noticed that ever since moving the Arbitration system mailboxes from the old Exchange 2010 server to the new Exchange 2016 server I am now receiving a Directory-Services-SAM Event ID 16969 error every 15 minutes which states:

"XXX remote calls to the SAM database have been denied in the past 900 seconds throttling window."

I am not sure if moving the mailboxes is what caused it, but I was not receiving this error before. After checking the domain controller I did not see any policy that specifically defines this security policy so I am not entirely sure what is causing this to fail since in the local security policy on the Exchange 2016 server has the local Administrators defined to allow access. Any idea as to what would be causing this?

Thank you

All replies (4)

_{Wednesday, November 21, 2018 3:46 PM ✅Answered}

Thank you, Manu. I believe I have found the cause to this issue. From what I can tell it turned out to be the SSL certificate on our domain controller and Exchange server. Once I updated it with a new wildcard certificate that covers all possible sub domains in our environment this error simply disappeared. I can not say for certain this is what fixed it, but the errors completely stopped once the new cert was installed.

_{Friday, November 16, 2018 8:32 AM}

Hi,

Have you installed any Windows update recently?
What is your Exchange server version and build number?

As per my knowledge, this issue could occur if the Network access: Restrict clients allowed to make remote calls to SAM policy is enabled. The policy controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and in Active Directory.

This policy is introduced after the following versions of Windows or Windows updates are installed:

Windows 10 Version 1607 and later versions
Windows 10 Version 1511 with KB 4103198 installed
Windows 10 Version 1507 with KB 4012606 installed
Windows 8.1 with KB 4102219 installed
Windows 7 with KB 4012218 installed
Windows Server 2016 RS1 and later versions
Windows Server 2012 R2 with KB 4012219 installed
Windows Server 2012 with KB 4012220 installed
Windows Server 2008 R2 with KB 4012218 installed

To fix this issue, use one of the following methods.

Method 1: Update the policy to allow access
Method 2: Disable the policy

For more information, see AuthZ fails with an Access Denied error when an application does access checks in Windows Server.

Regards,

Manu Meng

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].

Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

_{Friday, November 16, 2018 6:35 PM}

This is a brand new install of Exchange 2016 so no recent updates were applied. The Exchange version is 15.1.1531.3. I would definitely update the policy to allow access but I have no clue which account would need access to this as the local Administrators group, which has the Domain Admins as well as Exchange Admins, already has allow access set on it. Would there be any way to find out which account needs access?

_{Wednesday, November 21, 2018 6:26 AM}